Mastercard International Consumer Credit Card Summit 2006
Address by Australian Federal Police Commissioner Mick Keelty APM
Topic: ‘Security & Fraud’
10 May 2006
Check against delivery
I’d like to begin by acknowledging the traditional owners of this land, the Cadigal People.
It is important to recognise their historical connection to the land on which we gather today.
Thank you for your invitation to be involved in today’s discussion on Security and Fraud. I’m sure you will have many questions relating to what you expect from the Australian Federal Police to help protect your business and the wider Australian community from the impact of fraud and other types of economic crime.
But before we talk about the AFP’s role - I’d like to talk to you about what you can do to help us achieve law enforcement objectives.
By the end of today I hope we walk out of here with a better understanding of how we can enhance the partnership between the finance sector and the AFP - for the benefit of all parties.
Governments globally have recognised the close connection between international terrorism and transnational organised crime such as illicit drugs, money laundering and illegal movement of nuclear, chemical, biological and other deadly materials.
Author Loretta Napoleoni in her new book Terror Incorporated: Tracing the Dollars Behind the Terror Networks describes the “New Economy of Terror,” as a fast-growing international economic system with a turnover of about $1.5 trillion that is challenging Western hegemony. Napoleoni suggests interdependency between economies run by armed groups and western economies stating “as in the Crusades, religion is simply a recruitment tool; the real driving force is economics”.
This highlights that reducing economic crime is vital to maintaining economic, and therefore national, security. It also illustrates that addressing economic crime in the private sector is equally as important to public sector endeavours.
In that regard, we need all major organisations, and especially the finance sector, to understand this link, and to partner with law enforcement agencies to enhance the coordination of national and international efforts to encourage a global response to threats to international security.
Firstly, let me outline a few examples of what the AFP is doing to coordinate these efforts.
Recognising that banks and financial organisations should not be exposed to undue risk and must fulfil their lawful responsibilities regarding privacy, the AFP proposed, and government passed, Notice to Produce legislation.
Prior to this legislation, investigators had to obtain search warrants to obtain bank records when in fact we did not actually search anything!
By now being able to use notice to produce powers, we have enhanced our ability to obtain critical documents quickly, while ensuring that the balance remains between respecting the rights of individuals and meeting law enforcement objectives.
Apart from specific powers, there has also been express legislative recognition of the important role that the AFP plays in conjunction with partner agencies in Australia and around the world.
For example, an amendment to the AFP Act to ensure information can be shared without contravening privacy laws recognised the importance of AFP’s role in co-operating with other law enforcement agencies in Australia and overseas.
This is particularly important because economic crime is part of a much bigger, multi-jurisdictional picture.
It is one thing to have the laws and mechanisms to allow you to act domestically – but we as an organisation can be challenged when dealing with diverse laws and procedures in other countries.
But I don’t need to tell you about the challenges of operating in a global environment.
If you look at an example of today’s sponsor from a commercial perspective, just one product - MasterCard's Commercial Card is accepted at 32.8 million locations worldwide, including on the Internet. Alternatively, something that could affect most of you in the room is the potential for fraud and identity theft in Australian call centres based in overseas locations.
Here is a situation where you are providing personal information to international outsourcing companies who are not governed by Australian laws and processes.
How do we work with other foreign governments to ensure that correct security procedures are enforced and policed? That is our challenge.
One example of how successful multi-jurisdictional co-operation operations can be is a recent Bot Net investigation.
Following a series of Distributed Denial of Service (DDoS) attacks upon Internet Relay Chat (IRC)[1] servers in Australia in 2005, the Australian High Tech Crime Centre (AHTCC), using information provided by the Belgian Federal Computer Crime Unit, began investigating the attacks which also affected the United States, Singapore and Austria.
The attacks were carried out by means of IRC Bot Networks (botnets). Botnets are networks of computers on the Internet, which have been enslaved by malicious software and are then remotely controlled by criminals.
On 22 March 2006 officers from the AFP, AHTCC, NSW Police and Victoria Police assisted with the execution of Commonwealth search warrants in the ACT, NSW and Victoria.
Following the execution of the warrants, a man was arrested and charged in Victoria with one count of using a telecommunications network with intention to commit a serious offence under the Criminal Code.
Whilst there are numerous inter agency ‘success’ stories as I have previously stated I would like to talk to you more about enhancing public and private partnerships.
Organised crime is diversifying into economic crimes due to the financial returns and perceived lower risk. In the time that it takes to send a fax these days millions of dollars can be potentially stolen and moved off shore electronically.
To counter this type of fraud the public and private sector, particularly the financial sector, will need to collaborate and work in partnership.
The last Australian Financial Market Association report stated that the continuous striving for greater efficiencies, rapid and continuous change, flatter organisational structures and increased reliance on technology all serve to expose firms to greater risk of fraud.
It also stated that ‘other factors contributing to the global increase in fraud include the failure of governments, law enforcement and regulators to adequately address the problem, due largely to lack of resources and expertise.’[2]
I concur - we don’t always get it right first go.
We need to work in partnership with the industry to achieve the right balance between protecting the community from crime and the potential high cost of compliance with regulation.
One example of where this is occurring is the Australian High Tech Crime Centre (AHTCC). The AHTCC is working in partnership with private sector companies such as Telstra on the Australian High Tech Crime Centre Workshop, and with Microsoft on exchange of technical expertise and information. Specifically, the AFP worked with Microsoft on the development of software platforms for the Child Sex Exploitation Team that is also being used internationally. We also have a variety of relationships with anti-virus software providers where information on global trends and patterns is shared as well as joint training initiatives.
As a result of the Government having identified that 90 per cent of our critical infrastructure assets are in the hands of the private sector or operated on a commercial basis, the AFP developed a joint partnership with the Defence Signals Directorate and ASIO, called the Joint Operating Arrangement, to assist in protecting Australia’s National Information Infrastructure (NII). NII comprises the information networks of essential national services such as telecommunications, banking and finance, transport and distribution, energy and utilities, information services and others such as defence and emergency management.
The AHTCC is the Australian law enforcement response to the investigation of attacks against the National Information Infrastructure.
Under the auspices of the AFP, the AHTCC is party to the formal Joint Operating Arrangement established between the AFP, the Australian Security Intelligence Organisation and the Computer Network Vulnerability Team of the Defence Signals Directorate.
There is also the Joint Banking Finance Sector Investigation Team (JBFSIT) located within the AHTCC. The team consists of Federal and State Police, as well as bank investigators from the major banks including Commonwealth Bank, ANZ, National Australia Bank, Westpac and Suncorp Metway. The JBFSIT conducts investigations relating to internet banking fraud, phishing and related criminal matters, including fraudulent job recruiting websites.
The JBFSIT receives information on a daily basis from a number of financial institutions and deals with the impact and effect that Internet fraud has on each organisation. It is responsible for collating a monthly report, disseminated to the Banking and Financial Services sector, which outlines trends and issues which have emerged during the reporting period.
The JBFSIT is proactive and has a number of matters currently before the courts.
The AHTCC and the Australian Computer Emergency Response Team (AusCERT) are working with the banks and international partners to identify and shut down foreign hosted ghost websites and exchange information on unauthorised Internet banking.
The Australasian Consumer Fraud Taskforce (ACFT), established in March 2005, is composed of 18 Commonwealth, State and Territory Government regulatory agencies and departments that have a remit for consumer protection and education in relation to frauds and scams. 19 private sector organisations are also partners in the campaign – they include all the major banks, credit card companies, credit unions and major insurance companies, together with 13 community groups.
Education is one of the key weapons in the fight against internet crimes.
This is one of the most effective ways we can work in partnership - with industry committing resources to education on issues such as scams and phishing, and ensuring the community is aware of the steps they can take to minimise these criminal activities.
The Federal Government supports the partnership approach. They have funded investigations to the tune of $300 million over 6 years.
Yesterday it announced in the budget a $12 million boost to the Trans National Crime Centre at the University of Wollongong that will train people in the areas of international smuggling and fraud.
The Centre currently trains officers from key Australian agencies such as the Australian Federal Police as well as international students from 15 countries across the Asia-Pacific region. This will help us follow the money trails, and enhance our understanding of the sources of funding for terrorist groups.
Also announced was the establishment of the AFP led Identity Security Strike Teams. Funding of $19.6 million over four years will contribute to the implementation of the Australasian Identity Crime Policing Strategy.
The teams will be located in Melbourne, Brisbane and Perth, and will comprise staff from the AFP, Australian Crime Commission, Customs and Immigration. They will be based on the successful Identity Crime Task Force comprising State and Commonwealth agencies which operates here in Sydney.
The Government has invested a great deal to combat economic crime because it recognises the cost to the community.
The Australian Institute of Criminology recognises that, in regard to the community, the most damaging organised criminal activity is serious economic crime, and that the rise in identity fraud has been linked to organised crime.
Closer to you, according to the 2005 PriceWaterhouseCoopers report, 63 per cent of businesses reported an incidence of serious economic crime. The average value of this economic crime was $3.1 million per organisation.
In the 2004-05 financial year the AFP restrained approximately $90 million in proceeds of crime. In excess of 60 per cent of these proceeds were from economic crime.
In Australia, identity crime is already recognised as a serious and growing problem for business. It is estimated to be costing anywhere between $1 billion and $4 billion annually. Worldwide the cost has been put as high as $2 trillion.
Part of the reason for this is the ongoing and rapid advances in low-cost technology, which are providing criminals with unprecedented capacity to produce high quality replicas of a broad range of identity documents.
Also the cost of storing data has dropped dramatically over the years. Many companies have seen that data mining yields rich customer and product information. As a result, more companies are storing customer information than ever before. Unfortunately organised crime has figured this out and actively seeks to steal this information and exploit it for financial gain. The modern day equivalent of a robbery!
There are procedures being developed to deal with the advances that organised crime groups are making such as anti-money laundering legislation (AML) and chip technology. I know there are some people in this room who might conclude these initiatives are not in their best interest or financially prohibitive but fraud is an issue right now and will continue to become one in the future.
Failure by the financial markets to introduce appropriate anti-money laundering controls will not only expose the sector to undue risk, but will adversely affect the reputation of Australia’s financial markets in the international community and undermine Australia’s fight against money laundering and terrorism.
It means a risk to our competitive advantage – if one company suffers – you all may.
Is the risk worth the cost savings? A potentially catastrophic breach could cause irreparable harm to the reputation of a bank.
That’s what I’d like to talk to you about now – for all the discussions about the burden of compliance, how can we work together to improve the security and integrity of our data.
In your own ‘backyard’ one of the largest fraud scandals in Australia related to unauthorised foreign currency derivatives trading in National Australia Bank (NAB) by four ‘rogue traders’ in 2003 and early 2004.
The total loss arising from foreign currency options trading was AUD$360million. According to media reports, the scandal wiped out almost AUD$2 billion from the bank’s market capitalisation within a few days.
The World Economic Forum 2005 Global Competitiveness Report ranked Australia’s financial sector first in the Asia Pacific for general health of the banks with sound balance sheets and seventh in the world for market sophistication. Australia also ranks second in the Asia Pacific region for both financial market sophistication and venture capital availability.
But this could change.
We all need to change, to keep up with the pace of technological change that will impact on the security of your business.
If we look at credit cards - there has been a positive reduction in fraud with the introduction of chip technology in some Asian countries.
We know a magnetic strip and signature is no longer as effective as it once was. We also know that high quality counterfeits have been produced for many years now. Research shows the reduction of credit card fraud in Asia as a result of the chip enabled smart cards.
Modern retail practices result in a lack of knowledge and anti fraud practices amongst a highly mobile workforce. To rely on humans to detect forged credit cards is not advantageous at all. The technology in the form of chip ‘smart cards’ has existed for some time and two-factor authentication is more widely accepted now in the Asia Pacific.
We know that in Malaysia for instance the amount of counterfeit credit card fraud has been reduced by 80 per cent since the introduction of chip enabled smart cards.
Here in Australia, costs should be factored into future budgets now to prevent what could be a much more expensive and damaging alternative.
The AFP devotes 26 per cent of our total investigative resources to fraud investigations and an even greater investment with the Economic and Special Operations Function receiving 42 per cent of overall investigation resources.
However we conducted a study which was reviewed independently by the University of NSW, which showed that by way of effectiveness, for every $1 invested by the AFP in economic crime investigations, it returns $6 in social benefits to Australia.
To sum up I’d like to re-iterate that we are already well on track to combat fraud, but we need to do more to make sure we arrest any future increase.
To do this we need to work together in cooperation with business, as you hold much of the information and expertise we need.
Partnerships like this require initiative and hard work. However the rapidly changing security environment has had an impact on the business world and highlighted the growing need for all of us - regardless of what industry we belong to - to cooperate more closely with each other to strengthen our collective security.
I look forward to working with you in the future.
Thank you.
[1] IRC enables people connected anywhere on the Internet to join in live discussions using client software which connects to an IRC server.
